ERO, Stakeholders Support Proposed Cybersecurity Standards

NERC and other commenters on two NOPRs supported the ERO's proposed changes to the critical infrastructure protection standards.

Industry stakeholders and the ERO Enterprise generally expressed support for FERC’s proposal to approve 11 proposed reliability standards intended to allow utilities to use virtualization technology, particularly calling on the commission to leave intact language in the standards that could allow exceptions to the new standards to be granted more easily (RM24-8).

Commenters on a second Notice of Proposed Rulemaking also supported a further modification to one of those standards that would improve cybersecurity at low-impact grid-connected cyber systems (RM25-8).

FERC issued both NOPRs in September along with a final rule directing NERC to develop standards addressing supply chain risk management and an order approving the ERO’s most recent cold weather standard. (See FERC Tackles Cybersecurity in Multiple Orders.) The virtualization updates touched almost every entry in the library of Critical Infrastructure Protection (CIP) standards:

    • CIP-002-7 (Cybersecurity — BES cyber system categorization)
    • CIP-003-10 (Cybersecurity — security management controls)
    • CIP-004-8 (Cybersecurity — personnel and training)
    • CIP-005-8 (Cybersecurity — electronic security perimeters)
    • CIP-006-7 (Cybersecurity — physical security of BES cyber systems)
    • CIP-007-7 (Cybersecurity — systems security management)
    • CIP-008-7 (Cybersecurity — incident reporting and response planning)
    • CIP-009-7 (Cybersecurity — recovery plans for BES cyber systems)
    • CIP-010-5 (Cybersecurity — configuration change management and vulnerability assessments)
    • CIP-011-4 (Cybersecurity — information protection)
    • CIP-013-3 (Cybersecurity — supply chain risk management)

Commissioners wrote that they supported NERC’s efforts to integrate virtualization and other new technologies into the grid but questioned the ERO’s proposal to replace the phrase “where technically feasible” in some standards with “per system capability” when granting exceptions to the new requirements. FERC asked stakeholders whether there is still a need for a technical feasibility exception (TFE) program, whether the proposed changes would result in entities seeking new exceptions, and what alternate approaches would meet the ERO’s goals while still allowing effective oversight.

In its response, NERC wrote that the “per system capability” language provides enough flexibility “to ensure the proposed … standards are forward-looking and enable responsible entities to adopt new technologies securely” but “does not absolve an entity from implementing methods to achieve the security objective.” The ERO observed that entities would be generally expected to “achieve the objective [of a given standard] by other means” if unable to implement the technology mentioned in the standard.

Compliance monitoring and enforcement engagements can also give the ERO insight into “how a responsible entity is mitigating risk unique to its environment,” not just its compliance with the letter of the standards, NERC wrote. The ERO wrote that under the existing standards, it collects data on technical feasibility exceptions each year, that entities’ engagement with this program “has remained relatively stable over the past three years,” and that entities are already required to explain how they are addressing the risks identified in the standards.

“NERC does not anticipate this trend shifting much with the transition to ‘per system capability’ language,” NERC wrote. “Responsible entities are likely to continue to use the mitigating approaches they are already implementing, and the TFE program has given NERC and the regional entities experience into what to expect as mitigating measures for ‘legacy’ systems.”

MRO’s NERC Standards Review Forum (NSRF) also wrote in support of the new language, explaining that the change “is designed to accommodate long-term situations” because the annual TFE reports require “administrative work that provides no benefit to the reliability of the grid [and] also have not proven to be beneficial.” The NSRF observed that “per system capability” or “per device capability” language “has been part of the CIP standards since 2016” and predicted that the proposed changes “should not impact the need for exception.”

The Bonneville Power Administration wrote that “exceptions to the CIP … standards are still necessary” because otherwise, “many utilities would be forced to immediately replace functional equipment at great cost and risk to reliability.” BPA added that it expected NERC and the REs to apply the same expectations to “per system capability” exceptions that they apply to the TFE program, which REs can review through audits rather than requiring a separate approval process.

NERC Argues Against Low-impact Study

In its other NOPR, FERC sought comment on its proposal to approve CIP-003-11 (Cybersecurity — security management controls), intended to address the risk of a coordinated attack using low-impact cyber systems.

Citing the China-linked Volt Typhoon group, which has been accused of embedding itself in the information technology networks of U.S. critical infrastructure organizations, the commission asked whether such actors could pose a threat to grid reliability and whether FERC should direct NERC to perform a study or develop a white paper on the issue.

NERC wrote against this suggestion, arguing that the organization is already studying relevant topics and that an order to conduct another study would be unnecessary. The ERO cited a 2023 data request that collected information from utilities on remote access incidents, along with a nonpublic Level 2 alert issued earlier in 2025 providing recommendations on remote access. Responses from industry “enabled NERC to further analyze the risks associated with cross-border remote access” to grid elements, the organization wrote.

ERO staff are “in the final stages … of developing recommendations” on the risk of remote access that will be published in a report by the end of the year, NERC continued. This report “will include detailed recommendations and next steps … that will inform NERC CIP reliability standards priorities over a multiyear horizon starting in 2026.” Because of this and other ongoing projects, NERC asked that FERC refrain from requiring further studies at least until the ERO has identified its next steps.
